WordPress is the most widely used CMS in the world, now powering over 20% of the internet. This popularity unfortunately draws its fair share of attention from attackers and automated malware, making WordPress the most commonly targeted CMS. WordPress core itself is quite secure; the risk of your site being exploited rises as you add third party plugins, use weak passwords and let WordPress, your themes and your plugins fall out of date.

We’ve put together a few simple tips to keep your site’s risk of being exploited as low as possible:

Keep WordPress up to date

It only takes a few minutes every week to log into your WordPress dashboard, check for available updates and run the updater. These days it’s very unlikely that updates will break your site, provided you’re using reputable plugins. Add this as a weekly task on your to-do list or calendar and you won’t fall behind.

NOTE: Always have a recent backup available in case an update fails. There are plenty of free backup plugins that you can run manually or on a schedule.

Use a security plugin

Security plugins can quickly close off many of the commonly abused areas of your website, such as limiting the number of login attempts to your WordPress admin and removing the default “admin” username, which is the first account brute force attempts try. There are many plugins available, both free and paid, so we’ll just list some known reputable options. Feel free to do your own research and pick the one that best suits you.

iThemes Security

Wordfence Security

BulletProof Security

Sucuri Security

All In One WP Security & Firewall

Remove unused plugins/themes

Remove any themes you are not using, and remove (rather than just deactivate) any plugins you are not using on your site. The files of a deactivated plugin are still on the server and can still be reached directly, so a vulnerability in them is still exploitable. We also commonly see new plugins or themes installed when a site is exploited, giving attackers another way back into your site once you’ve updated.

Use secure passwords

The most common way services in general (not just WordPress) are compromised is a weak password guessed by a dictionary attack. Put simply, an attacker takes a big list of commonly used passwords and tries each one against a list of usernames, hoping for a match. Most people’s objection to using a strong, separate password for every service is trying to remember them all. Password management tools like LastPass and KeePass get around this: they keep all your passwords in an encrypted vault, ready to pull out as required, and they also generate strong random passwords for you.

By following these tips your WordPress site will be protected against the vast majority of everyday attacks on WordPress sites. If you want to take things a step further there are additional measures you can apply, such as a two-factor authentication plugin, locking down wp-admin (and the wp-login.php login page) to particular IP addresses, or using a third party detection/prevention service like Sucuri.
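Locking wp-admin down to particular IP addresses can be done with the same mod_rewrite module WordPress already relies on. The following .htaccess fragment is an added example and not part of the original article or of WordPress itself; the addresses 203.0.113.10 and 198.51.100.0/24 are documentation ranges standing in for your own, and it assumes your host permits mod_rewrite in .htaccess (the WordPress permalink rules already need this). Put it in the site root .htaccess above the “# BEGIN WordPress” block:

```apache
# Added example: allow /wp-admin/ and wp-login.php only from trusted addresses.
# 203.0.113.10 and 198.51.100.0/24 are placeholders; replace them with your own.
RewriteEngine On

# Match the admin area and the login page (the login page must be included,
# otherwise brute force attempts against wp-login.php still get through).
RewriteCond %{REQUEST_URI} ^/(wp-admin/|wp-login\.php) [NC]

# admin-ajax.php is used by many themes and plugins for anonymous visitors,
# so leave it reachable.
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]

# Trusted addresses: a single host and a /24 range. Requests that match
# neither condition below fall through to the 403.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]+$

# Everything else is refused with 403 Forbidden ([F] implies [L]).
RewriteRule ^ - [F]
```

Two things to check before relying on this: if your office or home connection has a dynamic IP address you will lock yourself out when it changes, so keep FTP or control panel access handy to edit the file; and test that the front end of the site still works for a visitor who is not on the allowed list, since some plugins call files under wp-admin/ other than admin-ajax.php.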

An often underutilised feature included with all our hosting accounts is SpamAssassin spam filtering. When enabled it filters out spam messages, with the goal of keeping your inbox clear of junk email and malicious attachments. Unfortunately spam detection is rarely perfect straight away; it needs some tweaking to fit your workflow, which we’ll run through below.

To use the feature simply go to Mail -> Your@EmailAddress.com -> Spam Filter

The first step is to turn the spam filtering service on.

Next we need to decide how we want to deal with spam:

The first option simply adds a tag to the subject line and leaves the email in your inbox. If you use rules in Outlook for sorting messages this is useful, as you can make a rule to act on any mail with ***SPAM*** in the subject.

The next option deletes all detected spam outright. Only use this once you’re confident in your spam detection and there is little chance of false positives, because a deleted message cannot be recovered. We’ll run through how to get to that point below.

The last option moves detected spam to a dedicated Spam folder. This option is great if you primarily access your email over an IMAP connection or through our webmail client. Simply check the Spam folder periodically to make sure there are no false positives.

The next thing to configure is spam sensitivity. The spam filter runs through every incoming email and gives it a score from 1 to 10, where 1 is very unlikely to be spam and 10 is almost guaranteed to be spam. By adjusting the minimum score at which the filter declares a message spam, we control how aggressive the filter is. The goal is to catch as much spam as possible without a significant number of false positives. The default value of 7 is pretty good, but if you are still getting too much spam try 6, then 5; if you’re getting too many false positives, try setting it to 8.

There is also a black/white list available to overrule the spam filter. You can specify individual email addresses (email@address.com) or whole domains (*@domain.com) in these lists. Mail from a whitelisted sender is ignored by the spam filter and always reaches your inbox, while mail from a blacklisted sender is always classed as spam.
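To make the interaction of the three settings concrete (the action chosen for spam, the sensitivity threshold and the black/white lists), here is a small model of the filter’s decision as an added example. It is not the hosting panel’s or SpamAssassin’s own code; it assumes the 1 to 10 score scale, the default threshold of 7 and the list semantics described above, consults the whitelist before the blacklist (the panel does not say which wins when a sender is on both), and the sample mailbox and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

SPAM_TAG = "***SPAM***"   # tag the "tag" action prepends to the subject line


@dataclass
class Message:
    sender: str
    subject: str
    score: float   # score given by the filter: 1 = almost certainly ham, 10 = almost certainly spam


@dataclass
class SpamFilter:
    threshold: float = 7.0                          # panel default
    action: str = "tag"                             # "tag", "delete" or "move"
    whitelist: list = field(default_factory=list)   # entries: "user@domain.com" or "*@domain.com"
    blacklist: list = field(default_factory=list)

    @staticmethod
    def _listed(sender, patterns):
        # fnmatch provides the *@domain.com wildcard form the panel accepts
        return any(fnmatch(sender.lower(), p.lower()) for p in patterns)

    def is_spam(self, msg):
        # Assumption of this model: whitelist first, then blacklist, then score.
        if self._listed(msg.sender, self.whitelist):
            return False            # whitelisted sender bypasses the filter
        if self._listed(msg.sender, self.blacklist):
            return True             # blacklisted sender is always spam
        return msg.score >= self.threshold

    def deliver(self, msg):
        """Return (folder, subject) for a delivered message, or None if it is deleted."""
        if not self.is_spam(msg):
            return ("INBOX", msg.subject)
        if self.action == "tag":
            return ("INBOX", f"{SPAM_TAG} {msg.subject}")
        if self.action == "delete":
            return None             # unrecoverable, hence only once tuned
        if self.action == "move":
            return ("Spam", msg.subject)
        raise ValueError(f"unknown action: {self.action!r}")


# Constructed sample mailbox: (message, whether it really is spam)
SAMPLE = [
    (Message("deals@shop.example", "Weekly deals", 6.5), False),
    (Message("win@lottery.example", "YOU WON!!! claim now", 9.2), True),
    (Message("accounts@corp.example", "Re: invoice 1234 overdue", 7.4), False),
    (Message("pills@pharma.example", "cheap meds", 5.8), True),
    (Message("boss@corp.example", "URGENT wire transfer", 8.1), False),
]


def tune(messages, thresholds, whitelist=(), blacklist=()):
    """For each candidate threshold return (spam caught, spam missed, false positives),
    the three numbers you are trading off when adjusting the sensitivity."""
    results = {}
    for t in thresholds:
        f = SpamFilter(threshold=t, whitelist=list(whitelist), blacklist=list(blacklist))
        caught = missed = false_pos = 0
        for msg, truly_spam in messages:
            flagged = f.is_spam(msg)
            if truly_spam and flagged:
                caught += 1
            elif truly_spam:
                missed += 1
            elif flagged:
                false_pos += 1
        results[t] = (caught, missed, false_pos)
    return results


if __name__ == "__main__":
    for t, (c, m, fp) in tune(SAMPLE, (8, 7, 6, 5)).items():
        print(f"threshold {t}: caught {c}, missed {m}, false positives {fp}")
    # Whitelisting the company domain removes its false positives without
    # raising the threshold, so the lower threshold can stay in place.
    for t, (c, m, fp) in tune(SAMPLE, (5,), whitelist=["*@corp.example"]).items():
        print(f"threshold {t} + whitelist: caught {c}, missed {m}, false positives {fp}")
```

Running it shows the trade-off the text describes: lowering the threshold from 8 to 5 catches the second spam message in the sample but also flags every legitimate message, while whitelisting the domain your real correspondents use brings the false positives back down. The same pattern applies in the panel: lower the sensitivity step by step, and whitelist senders that keep scoring high instead of raising the threshold for everyone.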

If, after using this spam filter for a while and optimising its settings, you find you are still receiving too much spam or getting too many false positives, we do have a premium anti-spam filter available, which comes as standard with our managed hosting plans.

FAST.hit Web Hosting supports Microsoft® SQL Server 2008 and Microsoft® SQL Server 2012 database hosting as an add-on to all current hosting plans. Our MS SQL service is suitable for small to large databases with any amount of traffic.

SQL databases are hosted on optimised and secured dedicated SQL servers. We DO NOT host SQL on the same machines as customer web sites, so a compromised web site cannot reach the database server’s local resources.